Who UDID it?!

It seems to be a mystery how the hacking group AntiSec recently came into possession of at least 1 million iOS UDIDs (Unique Device Identifiers) and other interesting iPhone user details. The AntiSec group claimed to have hacked an FBI laptop. The FBI immediately denied it. If the FBI was not hacked, where else might the data have come from? Actually, there are a lot of possible sources for this leak.

A large percentage of iOS apps (up to 80%, as we discovered in our recent study) can access user data, like UDIDs. UDIDs have become a common way to track users’ patterns within mobile apps and across the mobile ecosystem. It is certainly commonplace for mobile apps to incorporate ad network or analytics framework SDKs that report device and user data back to the “mother ship,” so to speak. Perhaps one of these companies, which specialize in both analytics and ad networks, was compromised?

Another possibility is that the UDID data was intercepted during the data transfer process. Perhaps an app was talking back to the company that developed it, and this company was then hacked? Another option is that a significant point on the network was monitored and the data was collected that way. Based on available information, it’s certainly hard to tell. AntiSec makes an interesting case in the way they describe how they came into the data. We’ve seen hacks like this before, and plenty of legitimate data stolen and published in the past. This lends credibility to the idea that this could very well have happened again. The FBI has stated that there is no evidence indicating that they have been compromised, so it’s hard to say.

A few Twitter posts indicate that it may be possible to correlate the leaked UDIDs back to a common app. That is an interesting theory to consider, and if that is the case, then it may come down to a very popular app (over 1 million UDIDs were leaked) that may be mishandling sensitive data.

At Appthority, we’ve taken a look at hundreds of thousands of apps, and what we’ve found confirms the general perception: the use of ad networks and analytics packages designed to collect and ship off user data is far too common. For example, popular free apps for iOS in the top 50, like Flashlight and Magic Piano, incorporate analytics packages. These packages include support for accessing a device’s UDID and for sending this and other data back to analytics company servers. So the idea that the 1 million UDIDs could have originated from an app (or group of apps) that grabs and sends off a device’s UDID is of course a reasonable possibility.